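-- +goose Up
-- +goose StatementBegin
-- nftables custom rules. The generator merges these into the ruleset
-- emitted by internal/firewall on top of the base inet edgeguard
-- table. v1 has no CrowdSec/threat_intel sets (see architecture.md
-- §8 — those entries are omitted without IDS/IPS).
--
-- chain:      one of input, forward, output, prerouting, postrouting.
-- match_expr: the literal nft expression body, e.g.
--             "tcp dport 22 ip saddr 10.0.0.0/8"
-- action:     accept | drop | reject | masquerade | dnat | snat
--
-- match_expr is spliced verbatim into the generated rules, so the
-- database can only bound its shape, not validate nft syntax. The
-- firewall_rules_match_expr_check constraint rejects empty bodies and
-- statement separators (';', CR, LF), which would otherwise let a
-- single row expand into more than one rule in the emitted ruleset.
-- Full syntax validation remains the generator's job — TODO confirm
-- it checks the assembled ruleset (e.g. nft -c) before loading it.
CREATE TABLE IF NOT EXISTS firewall_rules (
    id          BIGSERIAL PRIMARY KEY,
    chain       TEXT NOT NULL,
    -- ordering key within a chain; idx_firewall_rules_chain sorts by it
    -- (TODO confirm the generator treats lower values as "earlier")
    priority    INTEGER NOT NULL DEFAULT 100,
    match_expr  TEXT NOT NULL,
    action      TEXT NOT NULL,
    comment     TEXT,
    active      BOOLEAN NOT NULL DEFAULT TRUE,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    -- this migration only sets updated_at on INSERT; the application
    -- (or a trigger added in a later migration) must bump it on UPDATE
    updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT firewall_rules_chain_check
        CHECK (chain IN ('input', 'forward', 'output', 'prerouting', 'postrouting')),
    CONSTRAINT firewall_rules_action_check
        CHECK (action IN ('accept', 'drop', 'reject', 'masquerade', 'dnat', 'snat')),
    -- non-blank, single-line, no nft statement separator
    CONSTRAINT firewall_rules_match_expr_check
        CHECK (btrim(match_expr) <> '' AND match_expr !~ '[;\n\r]')
);

-- supports per-chain lookups ordered by priority
CREATE INDEX IF NOT EXISTS idx_firewall_rules_chain
    ON firewall_rules (chain, priority);

-- partial index: only rows with active = TRUE are indexed
CREATE INDEX IF NOT EXISTS idx_firewall_rules_active
    ON firewall_rules (active) WHERE active;
-- +goose StatementEnd

-- +goose Down
-- +goose StatementBegin
-- dropping the table also drops its indexes and constraints
DROP TABLE IF EXISTS firewall_rules;
-- +goose StatementEnd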